JUNOS PULSE APPCONNECT




White Paper

JUNOS PULSE APPCONNECT
A Micro VPN That Allows Specific Applications on Mobile Devices to Independently Leverage the Connect Secure Gateway

Copyright 2014, Juniper Networks, Inc.

Table of Contents

Executive Summary (3)
Introduction (3)
Prerequisites (3)
Technical Details (3)
Connect Secure Gateway Configuration (4)
Deployment Models (5)
iOS 7 Per-App VPN (5)
MobileIron Deployment (iOS 7 only) (6)
AirWatch Deployment (iOS 7 only) (7)
Samsung KNOX (9)
AppConnect SDK (9)
PAC License (9)
Conclusion (9)
About Juniper Networks (10)

Executive Summary

Juniper Networks Junos Pulse AppConnect is a micro VPN solution that runs on mobile devices (iOS and Android) to enable encrypted communications between specific applications (via AppConnect tunnels) and a Juniper Networks Junos Pulse Connect Secure gateway (Juniper Networks SA Series SSL VPN Appliances or MAG Series Junos Pulse gateways, formerly Junos Pulse Secure Access Service or SSL VPN). It allows enterprise-level IT administrators to secure sensitive data transactions between remote mobile devices and the enterprise network. Unlike a standard Layer 3 VPN, the administrator has some discretion as to which applications leverage the AppConnect tunnel. This creates an environment where only sensitive enterprise data travel back to the enterprise network, leaving all nonsensitive (personal) data to travel over standard data paths from the device to the Internet.

Introduction

There are three core deployment models, each with specific use cases and requirements. The deployment models are:
1) iOS 7 Per-App VPN (requires a third-party MDM solution to deploy)
2) Samsung KNOX VPN
3) AppConnect SDK

While AppConnect is a software-based solution installed on mobile devices, it requires Connect Secure hardware or a virtualized Connect Secure environment in order to terminate AppConnect tunnels, as well as an enablement license, called a PAC license (Pulse AppConnect license), for each physical device that accepts AppConnect tunnels from mobile devices. Virtual Connect Secure deployments do not currently require the PAC license.

Depending on the deployment model, additional third-party solutions might be required. Such solutions include MobileIron, AirWatch, or any other MDM solution that allows the administrator to define and deploy iOS 7 Per-App VPN settings. Such third-party MDM solutions can also be directly integrated with newer versions of Connect Secure (version 8.x or later), allowing even more control over access policies for mobile devices. This creates a robust and secure environment where mobile devices can be trusted to remotely access and leverage sensitive enterprise data located on the enterprise network.

Prerequisites

The deployment model that best suits a given enterprise is defined by a few simple questions.
1) Do you deploy managed or proprietary mobile applications?
a. Yes: All three deployment models can be leveraged to secure data transactions of managed or proprietary applications.
b. No: Samsung KNOX can still be used to secure data transactions of KNOX-based applications, and iOS 7 Per-App VPN can still be used to secure the Safari browser. The AppConnect SDK cannot be leveraged.
2) Do you have an existing MDM deployment that supports iOS 7 Per-App VPN settings?
a. Yes: The iOS 7 deployment model can be leveraged.
b. No: Only the KNOX or AppConnect SDK deployment models can be leveraged.
3) Do you have existing Connect Secure Gateway(s)? (SA Series or MAG Series hardware, or a virtualized Connect Secure environment, running software version 7.2 or later)
a. Yes: You need to add a PAC license to each physical gateway in order to accept AppConnect tunnels.
b. No: The AppConnect solution cannot be deployed in any fashion. You must purchase a MAG appliance or virtual appliance to terminate AppConnect tunnels.

Technical Details

AppConnect tunnels leverage WSAM technology on the Connect Secure gateway. There are settings that must be configured on the gateway in order for mobile devices to leverage WSAM. Each AppConnect tunnel consumes one concurrent session/license. The number of concurrent licenses a single device can, or does, consume differs based on the implementation, deployment, and use case of the AppConnect tunnels. The gateway must be running software version 7.2 or later. In situations where multiple connections are opened between a device and the Connect Secure Gateway, the connection limit is 124 per device on Connect Secure version 8.0R3 and later, and 64 per device on earlier versions of the Connect Secure Gateway.

Connect Secure Gateway Configuration

The following is a step-by-step guide showing how to configure the Connect Secure gateway. The administrator creates a user realm and role(s), defines role mapping, creates a sign-in policy, and enables the WSAM and VPN settings. Optionally, MobileIron or AirWatch MDM servers can be linked to the SA Series to allow additional Host Checker rules. More details regarding MobileIron and AirWatch integration into the Connect Secure gateway can be found here.
1) Create a new User Realm. Optional: Device Attributes.
2) Optional: Create a new sign-in URL to be used when connecting a mobile device via AppConnect.
3) Add the newly created user realm to the selected realms list.

4) Define role-mapping options for the realm.
5) Turn on WSAM and VPN tunneling in the role(s) used for AppConnect-enabled devices.

Deployment Models

There are three core deployment models, each with specific use cases and requirements. The deployment models are iOS 7 Per-App VPN, Samsung KNOX VPN, and AppConnect SDK. Additionally, the iOS 7 Per-App VPN deployment model also requires the use of a third-party MDM provider.

iOS 7 Per-App VPN

Apple has created a set of MDM APIs, referred to as iOS 7 Per-App VPN, and opened them up to MDM providers. These settings allow a device administrator to define a list of applications that leverage a VPN. This differs from previous versions of the Apple MDM VPN APIs. Previously, an administrator could only define a device-wide (Layer 3) VPN. Now, in iOS 7, not only can the administrator define a VPN connection, but the administrator can also define which managed applications have access to the VPN. This leaves all personal or nonsensitive applications (as defined by the administrator) to connect to the Internet directly, without the use of the VPN. As with all other Apple MDM APIs, the administrator must leverage an MDM provider to push and manage these settings on the end user's iOS device.

In the case of iOS 7, the Juniper Networks Junos Pulse application (version 5.0R4 or later) must be installed on the end user's device for the device OS to be able to open AppConnect tunnels terminating on a Connect Secure gateway. The Junos Pulse application includes a system-level plug-in that is activated by the iOS 7 Per-App VPN settings. End users must open Junos Pulse and accept the End User License Agreement (EULA) to enable the plug-in.

Two main limitations currently apply to applications that leverage the iOS 7 Per-App VPN. These limitations are created by Apple's current implementation of the iOS 7 Per-App VPN APIs and are subject to change in any future iOS release. The limitations are not unique to Juniper's implementation of AppConnect.
1) Only managed applications are able to leverage the iOS 7 Per-App VPN.
a. A managed application is one that has been installed on the end user's device via an MDM solution.
b. In addition to managed applications, Safari can be forced over the AppConnect tunnel.
2) Only TCP is currently supported (UDP support is expected in a future release).
a. UDP packets that travel over the iOS 7 Per-App VPN are dropped from the network stack by the system.
b. Any application that sends data using the UDP protocol fails to function if added to the iOS 7 Per-App VPN.

The deployment steps to enable iOS 7 Per-App VPN differ based on the currently deployed MDM solution. The following are two step-by-step examples for the most common MDM solutions, MobileIron and AirWatch.

MobileIron Deployment (iOS 7 only)

It is presumed that the administrator has a basic understanding of the MobileIron solution. For additional details, please refer to the MobileIron documentation. MobileIron requires an additional license to enable Per-App VPN settings. All details of integration are subject to change. This deployment is for MobileIron version VSP 5.9.2 Build 11.
1) Once logged in to the MobileIron server, navigate to Policies & Configs. Click on Add New in the drop-down menu and select VPN. MobileIron requires the use of certificate authentication. Optionally, the administrator can configure Safari Domains or VPN on Demand.
2) After a VPN profile has been set up, the administrator can apply the profile to individual managed applications. Navigate to the Apps tab, and change the Selected Platform to iOS. Selecting the edit option for a given application brings up the settings for that application. Find the Per-App VPN setting and select the newly created VPN profile in the drop-down menu. Click Save. Repeat for each and every application that needs to send data over the VPN.

AirWatch Deployment (iOS 7 only)

It is presumed that the administrator has a basic understanding of the AirWatch solution. For additional details, please refer to the AirWatch documentation. All details of integration are subject to change. This deployment is for AirWatch version 7.1.
1) Log in to the AirWatch console and navigate to Devices, Profiles, List View, and select +Add. From here, select iOS and then VPN from the iOS drop-down menu.

2) Fill out the VPN profile and choose connection and authentication settings. Click Save.
3) Navigate to the Apps & Books tab. Locate each iOS application in the managed application list that needs to send data over the VPN, and edit the application settings. In the Deployment tab of the application settings, enable the Use VPN check box.

Samsung KNOX

Samsung KNOX is an enterprise-level application container offered by Samsung on select devices and firmware versions. Samsung KNOX enables the user to have a dual-persona device. All personal applications and data reside outside the KNOX container. All sensitive enterprise applications and data reside inside the KNOX container. The KNOX container can be described as a virtual machine. All data and processes inside the container are only accessible from inside the container. Samsung has leveraged the AppConnect SDK to allow the device to pass all Internet communications that originate or terminate inside the KNOX container through a Connect Secure gateway via an AppConnect tunnel. Unlike iOS 7 Per-App VPN, the AppConnect tunnel is leveraged by the KNOX container as a whole, rather than by individual applications. More details are expected to be provided when Samsung publicly releases the version of KNOX that includes AppConnect integration.

AppConnect SDK

The AppConnect SDK is a set of APIs and libraries, provided by Juniper, that allows mobile application developers to directly open socket-based SSL VPN connections to a Connect Secure Gateway. From the point of view of the Connect Secure Gateway, these tunnels mirror all other forms of AppConnect tunnels. The integration is done at the code level. Any application that integrates with the AppConnect SDK needs to be recompiled and manually deployed to the end users. The AppConnect SDK is best leveraged by container solutions or in-house applications that are deployed without the use of an MDM solution. The APIs include authentication and connection management functions. Connections can be shared across multiple applications on a single device. Contact your Juniper sales representative for more details regarding the AppConnect SDK.

PAC License

The Pulse AppConnect (PAC) license is required to enable termination of mobile application-level VPN tunnels (also known as micro VPN tunnels) on SA Series and MAG Series SSL VPN gateways. AppConnect tunnels originate from applications running on Android (4.x or later) or iOS (7 or later) mobile devices, for example the iOS 7 Per-App VPN or Samsung KNOX feature configured by the MDM console, or a container that has fully integrated with the Junos Pulse AppConnect SDK. AppConnect tunnels limit traffic to only approved applications, which differs from the standard Junos Pulse Layer 3 device-level VPN tunnel, where all traffic is sent over the VPN tunnel. An AppConnect tunnel consumes one concurrent session/license, up to the number of concurrent licenses available. The number of concurrent licenses a single device can, or does, consume differs based on the implementation, deployment, and use case of the application-level VPN tunnels. The PAC feature is interoperable with 7.x and 8.x software versions. The PAC license is not required on the virtual appliance; PAC functionality is automatically enabled on the virtual appliance. The PAC license is perpetual. Subscription PAC licenses are not available. A PAC license is needed on each gateway (standalone or in an active/passive cluster).

Conclusion

The three deployment models for Pulse AppConnect give administrators the ability to ensure the most common mobile devices (iOS and Android) can open AppConnect tunnels that terminate on a Juniper Networks Junos Pulse Connect Secure gateway. A PAC license is required when terminating AppConnect tunnels on a physical gateway. Some environments require the use of third-party MDM software. Deploying Pulse AppConnect ensures sensitive enterprise data are protected while leaving end users' personal data to travel over the standard path, limiting traffic on the enterprise network.

About Juniper Networks

Juniper Networks is in the business of network innovation. From devices to data centers, from consumers to cloud providers, Juniper Networks delivers the software, silicon and systems that transform the experience and economics of networking. The company serves customers and partners worldwide. Additional information can be found at www.juniper.net.

Corporate and Sales Headquarters
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
Phone: 888.JUNIPER (888.586.4737) or +1.408.745.2000
Fax: +1.408.745.2100
www.juniper.net

APAC and EMEA Headquarters
Juniper Networks International B.V.
Boeing Avenue 240
1119 PZ Schiphol-Rijk
Amsterdam, The Netherlands
Phone: +31.0.207.125.700
Fax: +31.0.207.125.701

To purchase Juniper Networks solutions, please contact your Juniper Networks representative at +1-866-298-6428 or an authorized reseller.

Copyright 2014 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos and QFabric are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

2000572-001-EN Apr 2014